<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><img src="https://info.threatstop.com/hubfs/notpetya.png" alt="notpetya"> <p><strong>NotPetya</strong> ransomware, also known as <strong>PetrWrap</strong> and ExPetr, is a new piece of malware currently ripping through Europe and showing signs of moving on to the U.S. So far over 2,000 targets have been hit, including Russia's top oil producer, Ukrainian banks and the Ukrainian power grid. Attacks have also been reported on the German metro system and in Denmark, France, Spain, and <a href="http://fortune.com/2017/06/27/petya-ransomware-cyber-attack-targets/">more</a>. The name comes from the initial belief that this was a variant of the Petya malware; on closer inspection <a href="https://twitter.com/kaspersky/status/879749175570817024">Kaspersky Labs</a> declared that this was incorrect and dubbed the new malware <strong>NotPetya</strong>.</p> <p><!--more--></p> <p>Ground zero for the infection was a compromise of the update mechanism of the <a href="https://twitter.com/thedefensedude/status/879764193913716737">MeDoc</a> accounting software. MeDoc is accounting software whose use is mandated for tax purposes in Ukraine. 
The software contains a built-in update function. This morning a MeDoc update was pushed, and after the patch a series of background processes started. These processes reached out to <strong>NotPetya's</strong> C&amp;C systems and downloaded the malware. Within 30-40 minutes of infection the targeted files are scanned for and encrypted, the Master Boot Record (MBR) is replaced, and the system is rebooted into the malicious boot code.</p> <p><strong>NotPetya</strong> is moving quickly, using multiple vectors to get into networks. Once inside, it spreads through the infrastructure using the NSA's <strong>ETERNALBLUE</strong> exploit for the SMBv1 vulnerability fixed by <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">MS17-010</a> (the same exploit used by <a href="https://blog.threatstop.com/this-past-weekend-made-all-of-us-wannacry">WannaCry</a>), together with WMI and PsExec. In addition to <strong>ETERNALBLUE</strong>, it moves laterally to any host on which the credentials it holds let it run PsExec with administrator rights. 
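</p> <p>The WMI and PsExec spread described here (and the credential reuse described next) leaves a recognisable trail in process-creation telemetry. The following is an added example for this post, not ThreatSTOP code: it runs a handful of indicator rules over constructed Sysmon Event ID 1 / Security 4688 style command lines and reports which lines hit which rule. The command-line shapes it looks for (rundll32 loading the payload DLL by ordinal #1, WMIC /node remote process creation, a renamed PsExec dropped as dllhost.dat, the PSEXESVC service binary, and a schtasks-driven forced reboot) are taken from public analyses of the June 2017 sample rather than from this post, and the sample events, host names and addresses are constructed.</p>

```python
"""Flag NotPetya-style lateral movement in process-creation events.

Added example for this post (not ThreatSTOP code). The events below are
constructed Sysmon Event ID 1 / Security 4688 style command lines; the
indicators come from public analyses of the June 2017 sample, not from the
post itself.
"""
import re

# (rule name, pattern, why it matters). Patterns are deliberately loose:
# path, quoting and argument order vary between hosts and log sources.
RULES = [
    ("rundll32_ordinal_dll",
     re.compile(r"rundll32(\.exe)?\b.*\bperfc(\.dat)?\W{0,3}#1\b", re.I),
     "rundll32 running perfc.dat export #1, the malware entry point"),
    ("wmic_remote_process_create",
     re.compile(r"wmic(\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I),
     "WMIC remote process creation with explicit credentials"),
    ("psexec_renamed_dllhost",
     re.compile(r"dllhost\.dat\s+\\\\\S+.*-s\s+-d\b", re.I),
     "PsExec renamed to dllhost.dat, run as SYSTEM against a remote host"),
    ("psexesvc_service",
     re.compile(r"\bPSEXESVC(\.exe)?\b", re.I),
     "PsExec service binary executing on the target host"),
    ("schtasks_forced_reboot",
     re.compile(r"schtasks.*/Create.*shutdown(\.exe)?\s+/r\s+/f\b", re.I),
     "scheduled forced reboot that hands control to the replaced MBR"),
]


def scan_events(events):
    """Return one finding per (event, rule) match: {'index', 'rule', 'why'}."""
    findings = []
    for index, command_line in enumerate(events):
        for name, pattern, why in RULES:
            if pattern.search(command_line):
                findings.append({"index": index, "rule": name, "why": why})
    return findings


def flagged_indices(events):
    """Indices of events that hit at least one rule, in order."""
    return sorted({f["index"] for f in scan_events(events)})


# Constructed sample telemetry: benign admin activity mixed with the
# lateral-movement command lines the rules are meant to catch.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",       # benign
    r"wmic.exe os get caption",                                           # benign
    r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1',
    r'wmic.exe /node:"10.0.0.27" /user:"CORP\svc_backup" /password:"<redacted>" '
    r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    r"C:\Windows\dllhost.dat \\10.0.0.31 -accepteula -s -d "
    r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1",
    r"C:\Windows\PSEXESVC.exe",
    r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42',
    r"schtasks /Query /FO LIST",                                          # benign
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['rule']} - {finding['why']}")
```

<p>A single event can hit more than one rule (the WMIC and PsExec lines also carry the rundll32 payload invocation), which is useful for scoring: a host that trips the WMIC rule and then shows PSEXESVC on its neighbours is already spreading, not merely infected.</p> <p>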
On top of this it also uses an LSADump-style credential dumper to harvest administrator passwords from memory and reuse them over WMI and PsExec, so on many networks it does not need <strong>ETERNALBLUE</strong> at all to move from machine to machine.</p> <p>This allows <strong>NotPetya</strong> to hit Windows systems that are fully patched, including Windows 10 systems.</p> <p>On infection, <strong>NotPetya</strong> scans for files with the following extensions (the sample stores the list as a single dot-delimited string; it is shown here with spaces for readability):</p> <pre>.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl
.dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg
.nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar
.rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx
.vsv .work .xls .xlsx .xvd .zip</pre> <p><img src="https://info.threatstop.com/hubfs/NotPetyaRansome%20Message.jpg" alt="NotPetya Ransom Message" style="width: 320px; margin: 0px 0px 10px 10px; float: right;" title="NotPetya Ransom Message" caption="false" data-constrained="true" width="320">These files are encrypted, the MBR is replaced with boot code that encrypts the system's Master File Table (MFT) after reboot, and a ransom message is displayed demanding $300 USD paid in Bitcoin.</p> <p>One major difference between <strong>NotPetya</strong> and its predecessor <strong>WannaCry</strong> is the lack of a killswitch.</p> <p><strong>WannaCry</strong> was stopped by the discovery of a killswitch domain: the malware tried to resolve an unregistered domain and exited if it got an answer. The check is thought to have been an attempt to detect analysis sandboxes, which typically answer every DNS query. Once the domain was registered, the worm stopped spreading. 
<strong>NotPetya</strong> appears to check whether it is running in a sandboxed VM, but it does not use a domain killswitch to do so.</p> <p>In addition, <strong>NotPetya</strong> varies its shellcode to evade anti-virus signatures (though many anti-virus products do appear to be <a href="https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/">detecting</a> <strong>NotPetya</strong> under other names). The exploit code is also <a href="https://blog.comae.io/byata-enhanced-wannacry-a3ddd6c8dabb">cleaner</a> than earlier attempts in that it builds well-formed SMBv1 header packets.</p> <p>One small ray of hope is that <strong>NotPetya</strong> apparently delays its final stage: once it has landed on a machine it waits 30-40 minutes before rebooting into the malicious boot code. If the machine is shut down in that window, booted from a Windows recovery disk, and its MBR repaired, the malware is cleared from memory and the disk-level (MFT) encryption never runs.</p> <p>To recover the MBR (<a href="https://en.wikipedia.org/wiki/Master_boot_record">Master Boot Record</a>):</p> <p style="text-align: left; padding-left: 30px;">There are reports that the following commands, entered at the Windows Recovery Environment command prompt, will help recover from <strong>NotPetya:</strong></p> <pre style="padding-left: 30px;"> bootrec /RebuildBcd<br> bootrec /fixMbr<br> bootrec /fixboot</pre> <p><span>If the MBR repair is done after the encryption has run it will restore the MBR, but it is unlikely to recover any encrypted files. 
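</span></p> <p>The bootrec commands above repair the MBR after the fact. A cheaper step, taken before an incident, is to keep a baseline of sector 0 so that a replaced bootloader is detectable before the scheduled reboot hands control to it. The following is an added example for this post, not ThreatSTOP code: it parses a 512-byte MBR (446 bytes of bootstrap code, a four-entry partition table, the 0x55AA signature), records a baseline, and reports when the boot code or the partition table has changed. The sectors it checks are constructed inside the script so it runs offline; the function names are this example's own, and on a real host you would feed it sector 0 read from \\.\PhysicalDrive0 (as Administrator) or /dev/sda (as root) with the included read_sector0() helper.</p>

```python
"""Baseline and verify a disk's first sector (the MBR).

Added example for this post (not ThreatSTOP code). The sectors below are
constructed so the script runs offline; read_sector0() shows how to get the
real thing from a live host (needs administrator/root).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY = "<B3xB3xII"


def read_sector0(device_path):
    r"""Read the first 512 bytes of a raw device, e.g. \\.\PhysicalDrive0 or /dev/sda."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return the SHA-256 of the bootstrap code plus the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(PART_ENTRY, entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def verify_mbr(sector, baseline):
    """Compare a freshly read sector against a saved parse_mbr() baseline.
    Returns a list of findings; an empty list means nothing changed."""
    try:
        current = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable MBR: {exc}"]
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline: bootloader replaced?")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sector(boot_code, partitions):
    """Assemble a constructed 512-byte MBR for testing (not a real bootloader)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY, 0x80 if bootable else 0x00, ptype, lba, count)
                     for bootable, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


# Constructed sectors: a "known good" disk with one bootable NTFS (0x07)
# partition, the same disk with its boot code replaced but the partition
# table untouched (so it still looks bootable), and one with an altered table.
KNOWN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
NTFS_PART = [(True, 0x07, 2048, 204800)]
GOOD_SECTOR = make_sector(KNOWN_CODE, NTFS_PART)
TAMPERED_SECTOR = make_sector(b"\xeb\x58\x90" + bytes(range(64)), NTFS_PART)
REPARTITIONED_SECTOR = make_sector(KNOWN_CODE, [(True, 0x07, 2048, 102400),
                                                (False, 0x07, 104448, 102400)])

if __name__ == "__main__":
    baseline = parse_mbr(GOOD_SECTOR)  # in practice: save this off-host as JSON
    for label, sector in [("good", GOOD_SECTOR), ("tampered", TAMPERED_SECTOR),
                          ("repartitioned", REPARTITIONED_SECTOR)]:
        print(label, verify_mbr(sector, baseline) or ["ok"])
```

<p>Store the baseline somewhere the host cannot alter it (a management server, or alongside your backups) and re-check sector 0 on a schedule; a boot-code mismatch with an unchanged partition table is exactly the shape of change a bootloader-replacing ransomware makes, and it shows up before the reboot rather than after. The same saved copy, written back with a raw disk tool, is also a more faithful restore than bootrec's generic MBR.</p> <p><span>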
Recovering the files is obviously the more important step, and efforts to find a decryption method are ongoing.</span></p> <p>Additionally, a possible vaccine discovered by Amit Serper (@0xAmit) is to create a file named <strong>perfc</strong> (no extension) in C:\Windows; the malware checks for a file with that name and will not run if it already exists. Making the file read-only is commonly recommended so the malware cannot simply replace it.</p> <blockquote class="twitter-tweet" data-lang="en"> <p dir="ltr" lang="en">98% sure that the name is perfc.dll Create a file in c:\windows called perfc with no extension and <a href="https://twitter.com/hashtag/petya?src=hash">#petya</a> <a href="https://twitter.com/hashtag/Nopetya?src=hash">#Nopetya</a> won't run! SHARE!! <a href="https://t.co/0l14uwb0p9">https://t.co/0l14uwb0p9</a></p> — Amit Serper (@0xAmit) <a href="https://twitter.com/0xAmit/status/879778335286452224">June 27, 2017</a></blockquote> <p><span style="text-decoration: line-through;">Also, the initial location from which the malware seems to be downloaded is in Iran, so if you are geo-blocking Iran you should not get infected.</span></p> <p>ThreatSTOP Customers:</p> <ul> <li>Enable <strong>TSCritical General</strong> and <strong>TSCritical Ransomware IP Addresses</strong> in your policies to protect yourself from the malware.</li> <li>Enable Geo Protection from Iranian IPs. [Update 2] This will not save you from NotPetya, but it will defend against Karo ransomware and LokiBot. 
[/Update 2]</li> <li>Disable SMBv1 if you have not done so yet.</li> <li>Backup, backup, backup!</li> </ul> <p><a href="https://twitter.com/0xAmit/status/879764284020064256" rel="" target="">Yara rules for NotPetya</a></p> <p><strong>Update 1</strong></p> <blockquote class="twitter-tweet" data-lang="en"> <p dir="ltr" lang="en">In addition to known vectors, ExPetr/PetrWrap/Petya was also distributed through a waterhole attack on <a href="https://t.co/j9DvYcEgW7">https://t.co/j9DvYcEgW7</a></p> — Costin Raiu (@craiu) <a href="https://twitter.com/craiu/status/880011103161524224">June 28, 2017</a></blockquote> <p><strong>Update 2</strong></p> <p>Some of the IP addresses blocked in our update for this outbreak are actually distributing LokiBot and Karo ransomware.</p> <p><strong>Update 3</strong></p> <p>Decryption of the data is impossible. Do not pay the ransom!</p> <p>More details in the <a href="https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/" target="_blank">Kaspersky Labs blog</a> and the <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b" target="_blank">Comae blog</a>.</p> <p><strong>Final update</strong></p> <p>It is estimated that over <a href="https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/" target="_blank">12,500 machines</a> in Ukraine alone were infected. Computers in at least 65 countries have been hit, with Ukraine, the United States, and Russia seeing the most infections.</p> <p>Once files have been encrypted there is no method available for decryption. 
This is due to several factors, including the attackers' contact email address having been <a href="https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday" target="_blank">disabled</a> by the provider and the likelihood that the MBR/MFT are effectively <a href="https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b" target="_blank">wiped</a> rather than recoverably encrypted (the per-victim installation ID shown in the ransom note is random data, so even the attackers could not derive a key from it). It is therefore pointless to pay the ransom. The only solution is to restore from backup.</p> <p>Measured by ransom payments, NotPetya's take is small compared to WannaCry's: the final tally shows NotPetya pulled in <a href="https://qz.com/1016525/the-petya-ransomware-cyberattack-has-earned-hackers-20k-less-than-wannacry-in-its-first-24-hours/" target="_blank">$20k less</a> than WannaCry in its first 24 hours. The infection rate was also significantly lower than WannaCry's 45,000 computers across 74 countries in the first 24 hours. The criminals behind NotPetya are therefore expected to see a much smaller return than those behind WannaCry.</p> <p>As <strong>NotPetya</strong> appears to be a targeted attack against Ukrainian infrastructure, ThreatSTOP feels that it is prudent, at this time, to recommend caution if you do business with Ukraine. The simplest way for our customers to mitigate the risk of infection is to enable the <strong>Geographic</strong> &gt; <strong>Eastern Europe</strong> or <strong>Ukraine</strong> targets (pictured below) in your policy. 
If communication with known, trusted assets in Ukraine is needed, they can be added to a whitelist on your firewall.</p> <table align="center"> <tbody> <tr> <td style="text-align: center;"><img src="https://info.threatstop.com/hubfs/Article%20Internal%20Images/NotPetya/Eastern%20Europe%20Geo%20Target.png" alt="Eastern Europe Geo Target"></td> </tr> <tr> <td style="text-align: center;"><strong>Regular Target List</strong></td> </tr> <tr> <td style="text-align: center;"><img src="https://info.threatstop.com/hubfs/Article%20Internal%20Images/NotPetya/Ukraine%20Geo%20Target.png" alt="Ukraine Geo Target"></td> </tr> <tr> <td style="text-align: center;"><strong>Expert Target List</strong></td> </tr> </tbody> </table> <p>For those without a ThreatSTOP account, a free 30-day trial of ThreatSTOP's services is available.</p> <p style="text-align: left;">Subscribe to our blog to get updates and information about the latest threats around the Internet by entering your email in the Email Subscription box and clicking <strong>Sign me up!</strong></p></span>